keyboard_tab Cyber Resilience Act 2023/2841 EN
BG CS DA DE EL EN ES ET FI FR GA HR HU IT LV LT MT NL PL PT RO SK SL SV print pdf
- 2 Art. 6 Cybersecurity risk-management, governance and control framework
- 1 Art. 17 Cooperation of CERT-EU with Member State counterparts
CHAPTER I
GENERAL PROVISIONS
CHAPTER II
MEASURES FOR A HIGH COMMON LEVEL OF CYBERSECURITY
CHAPTER III
INTERINSTITUTIONAL CYBERSECURITY BOARD
CHAPTER IV
CERT-EU
CHAPTER V
COOPERATION AND REPORTING OBLIGATIONS
CHAPTER VI
FINAL PROVISIONS
- Union entities
- network and information system
- security of network and information systems
- cybersecurity
- highest level of management
- near miss
- incident
- major incident
- large-scale cybersecurity incident
- incident handling
- cyber threat
- significant cyber threat
- vulnerability
- cybersecurity risk
- cloud computing service
- shall 29
- union 28
- entity 24
- cybersecurity 19
- cert-eu 16
- framework 12
- article 10
- regulation 9
- implementation 8
- affected 8
- pursuant 7
- without 7
- state 7
- information 6
- established 6
- incidents 6
- each 6
- local 6
- officer 5
- basis 5
- member 5
- within 5
- highest_level_of_management 5
- the 5
- directive 4
- identity 4
- officials 4
- concerned 4
- staff 4
- delay 4
- relevant 4
- contact 4
- level 4
- incident 4
- point 4
- exchange 4
- head 3
- would 3
- regular 3
- single 3
- counterparts 3
- incident-specific 3
- obligations 3
- undue 3
- equivalent 3
- eu / 3
- tasks 3
- environments 3
- risk-management 3
- including 3
Article 6
Cybersecurity risk-management, governance and control framework
1. By 8 April 2025, each Union entity shall, after carrying out an initial cybersecurity review, such as an audit, establish an internal cybersecurity risk-management, governance and control framework (the ‘Framework’). The establishment of the Framework shall be overseen by and under the responsibility of the Union entity’s highest_level_of_management.
2. The Framework shall cover the entirety of the unclassified ICT environment of the Union entity concerned, including any on-premises ICT environment, operational technology network, outsourced assets and services in cloud computing environments or hosted by third parties, mobile devices, corporate networks, business networks not connected to the internet and any devices connected to those environments (ICT environment). The Framework shall be based on an all-hazards approach.
3. The Framework shall ensure a high level of cybersecurity. The Framework shall establish internal cybersecurity policies, including objectives and priorities, for the security of network_and_information_systems, and the roles and responsibilities of the Union entity’s staff tasked with ensuring the effective implementation of this Regulation. The Framework shall also include mechanisms to measure the effectiveness of the implementation.
4. The Framework shall be reviewed on a regular basis, in light of the changing cybersecurity risks, and at least every four years. Where appropriate and following a request from the Interinstitutional Cybersecurity Board established pursuant to Article 10, a Union entity’s Framework may be updated on the basis of guidance from CERT-EU on incidents identified or possible gaps observed in the implementation of this Regulation.
5. The highest_level_of_management of each Union entity shall be responsible for the implementation of this Regulation and shall oversee the compliance of its organisation with the obligations related to the Framework.
6. Where appropriate and without prejudice to its responsibility for the implementation of this Regulation, the highest_level_of_management of each Union entity may delegate specific obligations under this Regulation to senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level, within the Union entity concerned. Regardless of any such delegation, the highest_level_of_management may be held liable for infringements of this Regulation by the Union entity concerned.
7. Each Union entity shall have effective mechanisms in place to ensure that an adequate percentage of the ICT budget is spent on cybersecurity. Due account shall be taken of the Framework when establishing that percentage.
8. Each Union entity shall appoint a local cybersecurity officer or an equivalent function who shall act as its single point of contact regarding all aspects of cybersecurity. The local cybersecurity officer shall facilitate the implementation of this Regulation and report directly to the highest_level_of_management on a regular basis on the state of the implementation. Without prejudice to the local cybersecurity officer being the single point of contact in each Union entity, a Union entity may delegate certain tasks of the local cybersecurity officer with regard to the implementation of this Regulation to CERT-EU on the basis of a service level agreement concluded between that Union entity and CERT-EU, or those tasks may be shared by several Union_entities. Where those tasks are delegated to CERT-EU, the Interinstitutional Cybersecurity Board established pursuant to Article 10 shall decide whether the provision of that service is to be part of the baseline services of CERT-EU, taking into account the human and financial resources of the Union entity concerned. Each Union entity shall, without undue delay, notify CERT-EU of the local cybersecurity officer appointed and any subsequent change thereto.
CERT-EU shall establish and keep updated a list of appointed local cybersecurity officers.
9. The senior officials within the meaning of Article 29(2) of the Staff Regulations or other officials at equivalent level of each Union entity, as well as all relevant members of staff tasked with implementing the cybersecurity risk-management measures and with fulfilling obligations laid down in this Regulation, shall follow specific training on a regular basis with a view to gaining sufficient knowledge and skills in order to apprehend and assess cybersecurity risk- and management practices and their impact on the operations of the Union entity.
Article 17
Cooperation of CERT-EU with Member State counterparts
1. CERT-EU shall, without undue delay, cooperate and exchange information with Member State counterparts, in particular the CSIRTs designated or established pursuant to Article 10 of Directive (EU) 2022/2555, or, where applicable, the competent authorities and single points of contact designated or established pursuant to Article 8 of that Directive, with regard to incidents, cyber_threats, vulnerabilities, near_misses, possible countermeasures as well as best practices and on all matters relevant for improving the protection of the ICT environments of Union_entities, including by means of the CSIRTs network established pursuant to Article 15 of Directive (EU) 2022/2555. CERT-EU shall support the Commission in EU-CyCLONe established pursuant to Article 16 of Directive (EU) 2022/2555 on the coordinated management of large-scale cybersecurity incidents and crises.
2. Where CERT-EU becomes aware of a significant incident occurring within the territory of a Member State, it shall, without delay, notify any relevant counterpart in that Member State, in accordance with paragraph 1.
3. Provided that personal data are protected in accordance with applicable Union data protection law, CERT-EU shall, without undue delay, exchange relevant incident-specific information with Member State counterparts to facilitate detection of similar cyber_threats or incidents, or to contribute to the analysis of an incident, without the authorisation of the Union entity affected. CERT-EU shall exchange incident-specific information which reveals the identity of the target of the incident only in the event of one of the following:
| (a) | the Union entity affected consents; |
| (b) | the Union entity affected does not consent as provided for in point (a) but the disclosure of the identity of the Union entity affected would increase the probability that incidents elsewhere would be avoided or mitigated; |
| (c) | the Union entity affected has already made public that it was affected. |
Decisions to exchange incident-specific information which reveals the identity of the target of the incident pursuant to the first subparagraph, point (b), shall be endorsed by the Head of CERT-EU. Prior to issuing such a decision, CERT-EU shall contact the Union entity affected in writing, explaining clearly how the disclosure of its identity would help to avoid or mitigate incidents elsewhere. The Head of CERT-EU shall provide the explanation and explicitly request the Union entity to state whether it consents within a set timeframe. The Head of CERT-EU shall also inform the Union entity that, in light of the explanation provided, he or she reserves the right to disclose the information even in the absence of consent. The Union entity affected shall be informed before the information is disclosed.
whereas